Virus Bulletin, July 1994

ISSN 0956-9979 JULY 1994

THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL

Editor: Richard Ford CONTENTS Technical Editor: Fridrik Skulason

Consulting Editor: Edward Wilding, EDITORIAL Network Security Management, UK Fire! 2

VIRUS PREVALENCE TABLE 3

NEWS Junkie Mail 3 VB 94 Conference on Track 3 Chill Out! 3 IN THIS ISSUE: IBM PC VIRUSES (UPDATE) 4 Scanner Update. The latest comparative review includes 27 anti-virus products. Find out which products FEATURE have kept up and which have fallen behind on pp.14-19. The Ludwig Collection 6

Viruses for Sale. Mark Ludwig has released a VIRUS ANALYSES CD-ROM containing thousands of viruses, including 1. Stealth.B: Invisible Fire 8 many new ones. What are the contents of The Collection, 2. Argyle: Viruses and the i386 10 and what are the implications for the industry? COMPARATIVE REVIEW Information Junkie. According to Reflex Inc, the latest The Review, Reviewed 12 virus to hit the streets is the new and dangerous Junkie VB Scanner Review: July 94 14 virus. An evaluation of the genuine threat to systems is given on p.3. PRODUCT REVIEW Norton on NetWare 20

REVIEW Virus: Prevention, Detection, Recovery 23

END NOTES & NEWS 24

VIRUS BULLETIN ©1994 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS, England. Tel. +44 (0)235 555139. /94/$0.00+2.50 No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers. 2 • VIRUS BULLETIN JULY 1994

EDITORIAL

Fire!

Last months article on the Pathogen virus, which criticised the way it had been publicised, elicited a squeal of discomfort from Dr Alan Solomon, who believes that the S&S International press release was far from wholly unnecessary (see VB, June 1994, p.3). Claiming that his actions were in the users interest, he insists that the alert was legitimate. However, whether or not this is the case, it seems likely that the publicity generated did more harm than good.

When a new virus is first discovered, issuing a virus alert to product users is an attractive course of action, as it allows a new and unquantified threat to be dealt with in the quickest possible manner. If a user pays for protection from a company, he has some justification in expecting interim product updates if and when a new threat is discovered.

Whether or not one should inform the popular press about a new virus is a much more difficult decision. At what level of threat does a virus alert become more than simple market manipulation? The new and One sample found in the wild? Ten? One hundred? When a new virus is discovered, there is rarely dangerous Blanc- any data available on how widespread it is. This was the case with Pathogen - the outbreak could mange virus, have been an isolated incident, or it could have been the tip of an iceberg. With little information on undetectable by all prevalence, press releases were put out by three different UK companies. known anti-virus Once a decision to send out a press release has been made, things become still more difficult, as software, has been control will pass from the technical department to the marketing or PR department. An honest discovered running description of a new virus out in the wild might read as follows: We at Acme Virus Detection Inc. have discovered a new virus named Blancmange at approximately 15 sites. The virus is not detected wild on UK ma- by the current version of our anti-virus software. Although there is no cause for alarm, users are chines urged to add the following driver file Such a report is factual, causes no panic and stands little or no chance of being published. However, thirty minutes after entering the PR office, the report might appear in a slightly different form: The new and dangerous Blancmange virus, undetectable by all known anti-virus software, has been discovered running wild on UK machines by Acme Virus Detection Inc. Currently, no other product except Acmes own AcmeScan can

This puts an anti-virus software developer in a difficult position. Assuming he genuinely wants to alert the public to a potential threat, he will only get coverage by dramatising the situation. A calm, measured response is not news. Therefore, the spiced up release is distributed, and the marketing machine grinds away, the original motive for the warning long forgotten.

There is no easy way out of this loop. S&S International is not the only company ever to obtain press coverage by releasing news of a new virus, and is certainly not the worst offender - it is in the company of several other major players in the industry. Secure Computing described Pathogen as spreading widely, while Reflex Inc (the USA vendors of Disknet) claims that the latest threat to security, the Junkie virus, is a new generation and of special concern. Such claims are counter- productive at best, and at worst leave the companies open to accusations of scare-mongering and market manipulation. When warning of a new virus, vendors should stick closely to the facts.

One possible solution to this problem is that all companies take a measured response to new viruses. When the threat is believed to be small, nothing need be done until the next product update. When the threat is unknown, a factual warning should be issued to all product users. Finally, only when the threat is known to be large, with a significant number of sites infected, should a press campaign be launched. Until the extent of a problem is known, there is no justification for spreading alarm.

The current situation is rather like that of the company fire officer who holds too many fire drills: the people in the building will eventually assume that the cry of Fire! does not require immediate action, merely a slow wander from the premises. The virus industry is putting itself in the same position by sending out misleading stories concerning the latest and greatest virus which is in the wild. How hard will it be to convince people when the threat is much larger?

NEWS Virus Prevalence Table - May 1994

Junkie Mail Virus Incidents (%) Reports

The latest virus to hit the headlines is Junkie, which, Form 21 40.4% according to a press release sent out by Reflex Inc, the Stoned 7 13.5% American reseller of Disknet, is of special concern. The JackRipper 3 5.8% press release (entitled Junkie - New Generation of Barrotes 2 3.9% Viruses Discovered: Nearly Undetectable, Dangerously Infectious) details how the virus was discovered in the wild, Cascade 2 3.9% in Ann Arbor, Michigan, USA. However, Reflex has had no Exebug.4 2 3.9% other reports of the virus in the wild since. NoInt 2 3.9% Analysis of the Junkie virus reveals that it is mildly poly- Spanish_Trojan 2 3.9% morphic, and capable of infecting both COM files and the V-Sign 2 3.9% Master Boot Sector of fixed disks. The virus contains no Anti-CMOS 1 1.9% trigger routine, and is described by Fridrik Skulason, author Dinamo 1 1.9% of F-Prot, as unremarkable. This description is entirely at odds with the semi-hysterical comments made by Reflex. DIR_II 1 1.9% Form.B 1 1.9% Commenting on the press release, Mr Frank Horowitz of Reflex Inc said, It was never our intention to cause panic. Michelangelo 1 1.9% We didnt mean to imply that Junkie would bring down Pathogen 1 1.9% every computer in the world, but to alert the user to the PS-Dropper 1 1.9% dangers of the new generation of viruses. If we succeed in Tequila 1 1.9% getting this message across to just one user, thats great! He went on further to say that such a press release could just as YMP 1 1.9% easily have been written about Pathogen or Chill, and was Total 52 100.0% meant to be a warning to both vendors and users. Horowitz stated that he had tried to point out that, despite the fact that this virus was no Michelangelo, the computer community had been lulled into a false sense of security ❚ Chill Out! VB ’94 Conference on Track A new virus has been found in nine files stored in the PBS Forum on ZiffNet. According to an Email message sent out The fourth annual VB Conference will be held in Jersey on by Katherine Prouty, ZiffNet Forums Manager, the virus, 8/9 September. Internationally recognised experts will speak known as Chill, was only on the forum between the dates of on topics ranging from Viruses in the Wild (Joe Wells), 3 June and 14 June. through The Computer Underground (Dr Alan Solomon), The Email goes on to explain that the virus did not originate to NetWare Security (Stephen Cobb). Delegates from in these files; versions of the programs downloaded before 3 every corner of the globe have registered: more than 25 June are absolutely fine. When asked how it was that the countries are now represented, including the first-ever files were uploaded uninfected, and later infected by the delegates from Hong Kong and Japan. virus, Prouty was unwilling to comment, saying that it Linked to the event this year is an exhibition by anti-virus would be a few weeks before a complete story could be product developers. Particular interest has been shown in the put together. fact that manufacturers will be able, for the first time, to target the VB readership directly, and to promote their The Chill virus is a simple memory-resident COM-file products at an international venue. infector, which contains code intended to reformat part of the hard drive. It is 544 bytes in length, and is encrypted Conference costs are £595.00 (with a £50.00 discount to VB with a simple XOR algorithm. Updates of both F-Prot and subscribers), and, once again, Expotel International Travel Norton Anti-Virus which can detect the Chill virus are Group has been appointed to co-ordinate travel arrange- available from ZiffNet. ments and accomodation for delegates. Conference proceed- ings are available at £50.00 per copy from mid-September, There is little cause for concern except for those worried that for those unable to attend (apply to VB offices). they may have downloaded an infected file, although full record of downloads have been kept, and all recipients For further information, please contact Petra Duffield. contacted. Further information is available from Prouty, ❚ Tel. +44 (0)235 531889 Fax +44 (0)235 559935 ❚ whose Email address is 72241,[email protected]

IBM PC VIRUSES (UPDATE)

The following is a list of updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as Type Codes of 20 June 1994. Each entry consists of the virus name, its aliases (if any) and the virus type. This is followed C Infects COM files M Infects Master Boot Sector (Track 0, Head 0, Sector 1) by a short description (if available) and a 24-byte D Infects DOS Boot Sector hexadecimal search pattern to detect the presence of the (logical sector 0 on disk) N Not memory-resident virus with a disk utility or a dedicated scanner which E Infects EXE files P Companion virus contains a user-updatable pattern library. L Link virus R Memory-resident after infection

Burger.560.AS CN: Another minor variant of this silly overwriting virus. Detected with the Burger pattern. Freddy 2.1 CER: This is a variably-sized polymorphic virus, which is widespread in South America, and Brazil in particular. No search pattern is possible. Grog CN: The Italian Grog family is not a real family, but a collection of different viruses written by the same person(s). All contain the word Grog, and many have text strings in Italian. Some are destructive, others are not. They may infect COM or EXE files, and have varied internal structure. Many seem based on older viruses, but are heavily modified, e.g. using different registers for indexing. Current Grog viruses include Aver_Torto (CN, 647 bytes), Bruchetto (CN, 474 bytes, overwriting), Delirious (CN, 304 bytes, overwriting), Hop (480 bytes, overwrites COM files), Il_Mostro (CN, 660 bytes, detected with the Darth_Vader pattern, but a different pattern is included below) Joe_Anthro (CN, 589 bytes), Metafora (replaces COM files, renames original to EXE), Noncemale (CN, 796 bytes), Ovile (CER, 1417 bytes), Public_Enemy (CN, 800 bytes), Razor (CN, 801 bytes), Sempre (CEN, 373 bytes, overwriting), Trumpery (CN, 202 bytes, overwriting), Villino (CN, 547 bytes) and Wild_Cards (CN, 798 bytes). Grog.Aver_Torto B802 3DBA F6D6 CD21 8BD8 B43F B903 00BA FD00 CD21 803E FD00 Grog.Bruchetto B802 3DCD 2193 33ED 33C9 33D2 B802 42CD 2183 FA00 7403 E9B6 Grog.Delirious B802 3DCD 2172 3093 B904 00BA 4B01 03D5 8BF2 B43F CD21 ADAD Grog.Hop B800 3DBA 89EA CD21 93BA 60E6 E8E9 0080 3E60 E6E8 74BF BE63 Grog.Il_Mostro B802 3DCD 218B D8B9 0300 BAFD 00B4 3FCD 2180 3EFD 00E9 7401 Grog.Joe_Anthro B800 3D8D 966E 03CD 2193 53B8 2012 CD2F B816 1226 8A1D CD2F Grog.Metafora B800 3D61 720D 9362 6360 B960 E9BA 0001 B43F C333 C050 60C3 Grog.Noncemale B802 3DCD 2172 9393 B43F 8DBC 0601 8BD7 B904 00CD 2172 5380 Grog.Ovile 80FC 3D74 1280 FC4B 740D 3D00 6C75 0580 FB00 7403 E9B2 0006 Grog.Public_Enemy B800 3D8D 9641 04CD 2193 53B8 2012 CD2F EB12 4707 7207 6F07 Grog.Razor B800 3D8D 9642 04CD 2193 53B8 2012 CD2F EB12 4707 7207 6F07 Grog.Sempre 803F E974 0F80 3FE8 740A 59E2 D083 06FE 0003 EBA7 8BF3 BF76 Grog.Trumpery B800 3DCD 2172 3F93 53B8 2012 CD2F B816 1226 8A1D CD2F 26C6 Grog.Villino B800 3DCD 218B D8B9 0300 8D95 4502 B43F CD21 B802 4299 5259 Grog.Wild_Cards B800 3D8D 963F 04CD 2193 53B8 2012 CD2F EB12 4707 7207 6F07 Gusano EN: This virus is also known as Buen_Dia. Both names derive from a text in the virus: BUEN DIA!!! Yo soy un GUSANO. Gusano B802 3D8D 16FF 01CD 218B D8E8 C200 7403 E82A 00B4 3ECD 21B4 Helloween.1063 CER: A 1063-byte variant. Awaiting analysis. Helloween.1063 B43F EB02 B43E E815 0072 022B C1C3 33C9 33D2 B802 41EB 0733 Hiperion.249 CR: Awaiting analysis. Hiperion 9C50 80FC 4B75 1153 5156 1E52 5533 EDE8 0D00 5D5A 1F5E 595B HLLO.Orion EN: A simple overwriting virus which does not seem to work properly. No search pattern will be given, due to the high risk of false positives. HOT CN: This 130-byte-long virus contains the text This is hot!, but is otherwise unremarkable. It overwrites any file with a name matching *.C*, that is COM files, C source files and others. Like other overwriting viruses, it has practically no chance of spreading. Hot B842 3DCD 2193 B420 D0E4 B182 BA00 01CD 21C3 B42C CD21 8ACA Icelandic.655 ER: The first new variant of this family to appear in a long time. Icelandic.655 2EC6 0686 020A 5053 5152 561E 8BDA 4380 3F2E 740D 803F 0075

Jerusalem.1808.Standard.AO CER: A minor variant, detected with the Jerusalem-US pattern. The first few bytes of infected COM files seem to be corrupted. Jerusalem.Sunday.Satan CER: A minor variant, with little but text strings changed. Detected with the Sunday pattern. Jerusalem.Tarapa.B CER: This 2064-byte variant is detected with the Jeru-1735 pattern. Junkie MCR: A 1027-byte encrypted multi-partite virus which is in the wild. It contains the text Dr White - Sweden 1994, which might indicate that it was written in Sweden. Junkie received some media attention recently, mostly undeserved - it is not a technically remarkable virus. Junkie (File) B9F4 0126 8134 ???? 4646 E2F7 Junkie (MBS) 33FF BE00 7CFA 8BE6 8ED7 FB8E C7B8 0202 BB00 7EB9 0400 BA80 Khizhnjak.642 CN: A 642-byte virus of Russian origin. Khizhnjak.642 B43D B002 CD21 1F73 03E9 9000 EB14 901E 2EA1 2C00 8ED8 BA08 Natas MCER: A 4744-byte multi-partite virus written by the author of Satanbug. It is polymorphic, with no search string possible. Currently reported as a significant problem in Mexico. PS-MPC CER, EN: This months encrypted variants are 606.D (CER), ARCV-1.731 (CER), Powermen.718 (CER) and Tim.500 (EN). The non-encrypted variants are 212 and Tim.405 (EN). Satan CN: Two variants, 602 and 612 bytes long, related to the virus reported as Liquid. Satan.602 8BD5 81C2 0402 CD21 B900 00B8 0242 8BD1 CD21 2D03 008B F581 Satan.612 8BD5 81C2 2102 CD21 B802 42B9 0000 8BD1 CD21 2D03 008B F581 Slash ER: A 457-byte virus. Awaiting analysis. Slash 3D00 4B74 133D 013D 7405 80FC 3D74 099C 2EFF 1E05 01CA 0200 Slub CR: A 1024-byte virus of East European (probably Polish) origin. Not fully analysed, but contains the strings c:\autoexec.bat and c:\slubdestr.n23. Slub F8F9 5053 5152 061E 80FC 4C74 2E80 FC4B 7429 EB18 90B4 2C9C Sluknov CR: This 871-byte long virus uses encryption, with variable instructions, making the extraction of a simple search pattern impossible. SMEG CER: Two variants, Pathogen and Queeg, are known. Pathogen has already been described - Queeg is closely related to it, using a slightly more advanced polymorphic engine. Smoka ER: A 1024-byte virus containing a long encrypted message in Polish. Smoka B959 01BB A600 03D9 2E8A 0751 B104 D2C8 2E88 0759 E2ED 0E1F Sofia_Terminator CR: A couple of closely related Bulgarian viruses, 839 and 887 bytes long, containing the text Sofia 1993 by TERMINATOR. Sofia_Term 3D00 4B74 1A80 FC3D 7412 80FC 4174 0D80 FC56 7408 80FC 4374 Split CN: A 250-byte virus containing the string SPLIT. Awaiting analysis. Split B43D B002 8D96 2102 CD21 8BD8 B43F B904 008D BEDF 018B D7CD Stimp CN: Yet another Polish virus. This one is encrypted, 248 bytes long and contains the string STIMP- VIRUS made in Poland. Stimp 8B16 F601 BB05 01B9 5800 9031 1790 83C3 0290 E2F6 C3 Suriv_2.I ER: A very minor variant, detected with the Suriv_2.01 pattern. Swedish_Boys.Headache.441 CN: Closely related to the 457-byte virus originally named Headache. Contains the text Severe Head- Ache Virus V2.oo )+- Created by The Vile One & MaZ Copyright (c)1992 The BetaBoys Development Corp. -Sweden 04/19/92-. Headache.441 BB01 018A 27BB 0201 8A07 86C4 8BF0 B41A 8D94 B802 CD21 33C9 Sze CN: Two closely-related viruses, 314 and 351 bytes long. The viruses are of East European, possibly Hungarian, origin. Sze B802 3DBA 9E00 CD21 8BD8 B002 E8E8 FFA3 0300 8BCA 8BD0 83EA Vienna.Violator.707 CN: Another Vienna variant, not significantly different from those already known. Detected with the Violator pattern. Yankee_Doodle CER: New members of this old family still appear. The Login.2967 variant is detected by the pattern published for a virus originally named CZ2989, which should be named Yankee_Doodle.Login.2989. The TP.44.D variant is detected with the Yankee pattern. There are also two new encrypted variants, 2189 and Warlock, which require new patterns. The Warlock variant contains the text Revenge of WARLOCK!. Yankee_Doodle.2189 44A6 FE44 A78B FEB9 5007 2E8A BC20 0802 FEE8 B600 071F 58C3 Warlock 5B1E 068B F381 C621 008B FE0E 1F0E 0753 B97B 038B 5F01 FCAD

FEATURE

The Ludwig Collection disclaimer and a description of each of the principal subdirectories. Ludwig has grouped the files on the CD into fourteen different subjects, as follows: For several years, the anti-virus software industry has anticipated that somebody might turn the distribution of ALIFE Programs and documentation on non-viral computer viruses into a money-making enterprise. The first artificial life glimmer of such a trend began as early as 1987, with the ANTI-VIR Anti-virus programs and utilities launch of Ralph Burgers book Computer Viruses: A High Tech Disease, which featured live virus code. Soon after, HOSTS Examples of sacrificial goat programs others began to cash in, and there are now several different LIVE-VIR The main body of the CD; the live viruses books in a similar vein. directory, subdivided by virus family name The next step in the process was the launch of Mark NEWSLETR Newsletters and other literature Ludwigs magazine Computer Virus Developments Quar- terly. Claiming to be a publication aimed at the virus-aware OTHER-OS Viruses for non-DOS systems MIS manager, the magazine included material which would NEW_VIR New viruses help a reasonably inexperienced programmer develop his own virus code. American Eagle Inc also offers accompany- SOURCE Source code listings for viruses ing disks to the magazine, which include complete com- TESTBED A test-set of polymorphic viruses against mented source code for viruses such as Jerusalem. which to test virus scanners The most recent step in this chain of events is the publica- TOOLS A number of virus handling tools tion of Ludwigs $100 CD-ROM, blandly titled The Collec- TROJANS Trojan horse programs tion, Outlaws from Americas Wild West. Although this is not the first time virus code has been available to the general V-SIMUL Virus simulation programs public (VB, February 1993, p.2), the disk represents the VIR-INFO More text and virus information largest and most complete collection of virus information ever made available to a wide audience. VIRTOOLS Virus writing toolkits etc. The most interesting of these sections will now be consid- Weasel Words ered in turn. One of the first things which one notices about the CD- ROM is that the word virus is mentioned nowhere on the Live Viruses black and white cover or its flipside. Each cover is serial- The virus collection itself is very complete, and has 573 numbered, and contains the following message: subdirectories leading off it, each labelled with the name of NOTICE a particular virus family. Within each of these directories are a number of individual samples, attached to an American Retain this card! We anticipate updates to this CD-ROM, and this card is your proof of Eagle goat file. Each goat file contains a copyright message, ownership. To obtain updates at a special and displays the text Host #1 - You have just released a price, you will be asked to return this card virus when executed. with your order. It is worth noting that every virus in this part of the collec- Clearly, Ludwig has plans to continue his virus service, tion has been transferred to a new host file - a long and time- although the regularity or cost is not outlined anywhere. The consuming process, which when done properly prevents only other point of note about the cover is the following files which are incapable of replicating being included in the short disclaimer: The software on this CD-ROM is pro- virus collection. However, at least eight junk files have vided as-is without warranty or liability of any kind. The somehow slipped through. The cataloguing here follows the user assumes full responsibility for anything that happens as usage of the scanner F-Prot, and is sufficiently accurate that a result of executing any programs on this disk. it classifies subvariants of each virus (e.g. Cascade.1701.B).

Each infected file has a purely numerical name. The conven- Contents tion used is as follows: a three digit name (e.g. 002.COM) The disks contents are organised into a number of subdirec- indicates that the file is a replicating sample of the virus. A tories off the root directory. The only file in the root four digit name (e.g. 0003.COM) indicates that the file directory is named READ_OR_.DIE, and contains a lengthy appears to be infected, but does not seem to replicate.

Ludwig takes an unusual amount of care with the boot A complete set of virus creation toolkits is included on the sector viruses included in The Collection. These are supplied CD. Included in this group are VCL, G2, etc. - all the well- in one of three forms: a virus dropper program, an image file known construction toolkits are represented. Finally, there is of an infected disk, and a binary copy of an infected boot the obligatory collection of polymorphic virus engines such sector. Ludwig even goes to pains to make clear that the as TPE. These appear on other areas of the disk too: the final group will not replicate or function, and that the virus TESTBED directory contains 1000 copies each of MtE and code is often incomplete. TPE-infected files, apparently so that the user can test his anti-virus product against them. Although this live virus section will be of immediate interest to anti-virus software developers, the section NEW_VIR is The sections described in the preceding sections make up the one which will require the most analysis. According to the bulk of the information on the CD. However, with over the documentation supplied on the CD, these viruses are 157MB of data in The Collection, a cursory analysis will largely untested, and there is no telling what executing one only scratch the surface. will do. To make things even more confusing, the samples in the directory do not conform to Ludwigs normal naming Conclusion convention. Each file has a text name, and it is relatively easy to run one of the samples accidentally. It is important to draw the readers attention to a number of points. Firstly, those who had hoped that Ludwigs long- Due to the large number of viruses contained on the CD- awaited collection would be the usual computer under- ROM, it has not yet been possible to ascertain exactly how ground collection of crippled executables and renamed text many of the files in this directory are new viruses or already- files are in for a disappointment. Nothing could be further known samples. However, Dr Solomons AVTK (v6.64) from the truth. A vast amount of work has been carried out found 215 infected files in the NEW_VIR directory out of a transferring viruses to standard host files, forming a rela- possible 469. Similarly, Sophos Sweep (v2.62) detected 232 tively well-ordered and (with the exception of the in quick mode, and 273 in full mode. An automated junk NEW_VIR directory) de-junked collection. search found 86 of the missed files not to be viruses. Secondly, the collection is well organised and classified according to the F-Prot naming convention (close to, but not Shareware and Hosts identical to that of CARO), making it quick and easy to find The Collection is not entirely dedicated to virus writing and extract a particular virus. Had The Collection been information - also included are some of the standard tools produced by a member of the more generally accepted anti- for virus detection and removal. The directory ANTI_VIR virus community and given a controlled distribution, it contains a large number of shareware and freeware virus could well have been greeted as a gift from the gods, tying detection utilities. Most notably, reasonably up-to-date up a number of naming issues, and becoming a standard versions of F-Prot (v2.11), McAfee Scan (v113), and collection used within the community. ThunderBYTE Anti-Virus (v6.12) are included. Unfortunately, Ludwigs collection does pose many prob- The HOSTS directory is another useful source of informa- lems for the industry. The greatest of these is that, with large tion for the would-be virus researcher, containing copies of amounts of virus source code available, it is likely that an Ludwigs standard host files, and executable code which upturn in the number of variants of particular viruses will can be used for generating large numbers of files ready for occur - even something as trivial as using a different virus infection. assembler could lead to a new virus.

The Best of the Rest How the industry and the computing community chooses to deal with this CD-ROM is a subject which needs discussion. The rest of the CD covers many other related topics. A large If any industry action is to be taken, it needs to be done collection of computer underground publications is con- soon: at the end of the READ_OR_.DIE file, Ludwig tained in the directory NEWSLETR, covering publications leaves the reader in no doubt as to how he is prepared to ranging from 40Hex (issues 1 to 11) to the Virus-L archives. obtain samples:

******************************************************************************* * * * WANTED: DEAD OR ALIVE ---> Your viruses! * * * * Anti-virus researchers, virus writers, hackers, system administrators, * * we want your viruses and we actively trade and buy new viruses. Please * * contact us for details. PLEASE USE THE TOOLS IN THE \TOOLS DIRECTORY * * FOR SAVING BOOT SECTOR VIRUSES. FAILURE TO DO SO COULD DAMAGE THEM! * * * [Closing remarks deleted. Ed.]

VIRUS ANALYSIS 1

Stealth.B: Invisible Fire So Ludwigs Stealth and Stealth.B are not completely Joe Wells identical. There are, however, many striking similarities Symantec between the two. Both infect 360k and 1.2M floppies by formatting an extra track and placing five sectors of virus code followed by the original boot sector. On 720k and Very visible fires were consuming much of southern 1.44M floppies, however, both use the last cluster, head 1, California. The nearest and largest of these was raging on to store the code and boot sector, and mark these sectors as the hills behind my home, so I was up late monitoring its bad to protect them. progress. To pass the time, I disassembled a virus we had recently received from several sites in the southeast United Additionally, both viruses infect the Master Boot Sector and States; most were from the Miami, Florida area. use track 0, head 0, sectors 2-7 on the hard drive to store the additional sectors. Finally, they both hide infected sectors by The virus, named Stealth.B, infects the DOS boot sector on returning either the original sector (if the floppy boot or floppies and the Master Boot Sector (MBS) of the first MBR sector is being read), or a null buffer (if a storage physical hard disk (drive 80h, usually the C: drive). It is sector is being read). also, as its name implies, a stealth virus. One would assume that the virus in the book uses two Evolution of a Virus methods of infecting floppies to demonstrate the two methodologies. In the wild, however, the tactic serves no The virus was reportedly based on the Stealth boot virus purpose, and is probably just an evolutionary remnant source code contained in The Little Black Book of Computer inherited from its progenitor. Viruses, by Mark Ludwig. Therefore I had tracked down a copy of the book to borrow earlier in the day, so I could Operation compare it to the samples we had received. Stealth.B infects a system in the usual manner: someone A quick difference analysis revealed that, apart from some unintentionally boots from an infected floppy. Like most instruction swaps and slight offset differences, the infected boot viruses, Stealth.B immediately checks the MBS and, if MBSs of the two viruses were effectively the same, except it is not already infected, infects it by direct action. Discuss- for one byte. A comparison of the complete viruses revealed ing this strategy in his notes on Stealth.A, Ludwig states that a difference of less than 5% (172 bytes different in 3584 The infection mechanism for moving from a floppy to a bytes of code and data). hard disk must take advantage of this little mistake on the users part to be truly effective. This means hard drives should be infected at boot time. The Genealogy of Computer Viruses The virus reserves 4K of memory. Thus, on a 640K ma- Trying to ascertain which virus derives from which is chine, running CHKDSK will report 651,264 bytes rather not an exact science. If two viruses are very similar, it than the normal 655,360 bytes, and using DEBUG to dump is of some academic interest to identify how the the word at 0000:0413h, one will find the value 027Ch (as variants relate to each other. Simply because sample x bytes this will appear as 7C 02). Running CHKDSK on an was found before sample y does not mean that x was infected 3.5-inch floppy (720k or 1.44M) will also report written before y. They may share a common ancestor, 3072 bytes in bad clusters. or one may be a simple mutation of the other. The virus stealths the infected boot sector on floppies and Deriving a virus family tree involves a detailed the infected MBS by returning an image of the stored analysis of the instructions which make up the virus original on disk reads. The other six sectors are stealthed on code. Many i8086 instructions have two different the hard drive by returning a buffer filled with nulls. On binary forms which are functionally identical - changes floppies, however, these six sectors are not stealthed. to these instructions, for example, would indicate the use of a different assembler, or that the older sample The method of checking disks for previous infection is also had been disassembled to a source code form, and identical to Ludwigs virus. In the Little Black Book of reassembled. In the case of Stealth.B, even a detailed Computer Viruses, he writes: The Stealth virus uses its own analysis of the code does not make it clear how it is code as an ID. It reads the boot sector and compares the first related to Stealth.A, as the differences in the virus code 30 bytes of code (starting after the boot sector data area) are small. Only the virus author knows for sure, and with the viral boot sector. If they dont match, the disk is with Stealth.B common in the USA, he is not telling. ripe for infection. The routine he then presents is identical to that found in Stealth.B.

Interestingly, there is a minor difference in the 30 bytes the text string AMSESLIFVASRORIMESAEP and the checked between Stealth.B and Ludwigs prototype. Thus, description of that virus is quite similar to the Stealth family. Stealth.A and Stealth.B cannot recognize one another. The Unlike Stealth.B, AMSE prints a message and may be a difference consists of only two swapped instructions, but in hack of a Stealth family member. the event of an infection by both viruses, the system would become unbootable. Electronic Arson The fire I was monitoring was the first in a series which Damage swept through the Los Angeles area. It was set by an Stealth.B does not contain any intentionally damaging code, arsonist. Some of the other fires were called copycat fires but has been reported as wreaking havoc with some memory because they were set by arsonists mimicking the first; fires managers. In my testing I found that, on my 386 test which would otherwise never have been set. In like manner, machine, starting Windows would bounce back to the DOS would Stealth.B and its ilk now be spreading like wildfire if prompt. Interestingly, the same test on my 486 machine the virus upon which it is based had never been written? produces an error message I cannot recall seeing before. Watching the fire after analysing Stealth.B, I could see little On the 486 machine, I have a permanent Windows swap file difference between an arsonist and a virus programmer. which uses 32-bit access. When WIN386.EXE attempts to Both start something which spreads uncontrollably and can load its disk driver, the following message appears: cause extensive damage. The Microsoft Windows 32-bit disk driver In fact, I began wondering if there are books available in the (WDCTRL) cannot be loaded. There is United States written by arsonists, for arsonists. I can even unrecognizable disk software installed on this imagine how one might start with a mock disclaimer: Never computer. set fire to anyones home or business and this is exactly how The address that MS-DOS uses to communicate you should do it. with the hard disk has been changed. Some software, such as disk-caching software, Stealth.B changes this address.

If you aren’t running such software, you Aliases: STB, stelboo, AMSES. should run a virus-detection program to make sure there is no virus on your computer. Type: Master Boot Sectors of fixed disk drives, and boot sectors of diskettes. To continue starting Windows without using the 32-bit disk driver, press any key. Self-recognition on Disk: Compares 30 bytes (0Fh words) of Pressing a key leaves you back at the DOS prompt. This code in the boot sector with code in feature of the virus will have an obvious impact on todays memory. enterprise environment, which depends so much on Win- dows productivity software. Self-recognition in Memory: Damages, as with most viruses, will be measured in wasted None. time, shaken users, and more concrete clean-up costs. I Hex Pattern: The following pattern is that used by the would remind the reader that this last item (cost of clean- Stealth.B virus as its own self-recogni- up), depends on the number of PCs on the site rather than tion string: the number of PCs infected. For example, if two computers at a site with 200 machines are infected, then 200 PCs and FA33 C08E D08E D88E C0BC 007C all their associated floppies must be examined for infection. FBB1 06A1 1304 D3E0 2DE0 078E C083 2E13 0404 This is where time is wasted and costs soar. This differs from that used by the virus Like Wildfire published in the Little Black Book: In the few months since my initial analysis late last year, the FA33 C08E D08E D88E C0BC 007C FBB1 06D3 E0A1 1304 2DE0 078E virus has spread to many other parts of the US apart from C083 2E13 0404 Florida. In the month of April alone, Stealth.B was one of Int 13 for infection and stealth. the ten most reported viruses in the United States according Intercepts: to our statistics here at Symantec, with reports received from Trigger: None. states as far apart as New York and California. Removal: Disinfection possible by replacing A Stealth.C variant has also been reported in the wild in the original Master Boot Sector under clean US. Moreover, the AMSE virus (VB, May 94, p.11) may system conditions. also be closely related, since it and Stealth.B both contain

VIRUS ANALYSIS 2

Argyle: Viruses and the i386 The installation routine first carries out an Are you there? Eugene Kaspersky call to check whether the virus is already loaded and active. This consists of calling Int 21h with the contents of EAX set to FFFFFFFFh. If the virus is already loaded, the virus Every week, a large number of archives claiming to be virus returns 12345678h in the same register. libraries are sent to anti-virus researchers, each containing new viruses, Trojan programs, corrupted programs and data If the call is unanswered, the routine attempts to install itself files. The vast majority of these new viruses are written for into system memory. It checks the list of Memory Control the PC running standard MS-DOS, and are compatible with Blocks, and searches for the last memory block, which it machines ranging from the humble XT to the speedy decreases in length. The virus then copies itself into this Pentium. Occasionally, one encounters a virus which uses newly created space and points the necessary interrupt i286 instructions, such as PUSHA/POPA and PUSH/POP vectors to this area. IMMEDIATE, but by and large, much of the functionality of the more powerful Intel processors is left unused. Into the UMB Towards the end of 1993, viruses written for the i286/i386 One of the unusual features of the virus is its ability to and above began to turn up. The first such virus reported to install itself into the Upper Memory Blocks (UMB). These Virus Bulletin was PMBS, the protected mode boot sector are blocks of memory which have addresses above video virus (VB, October 1993, pp.9-11), which runs the i386 memory. When first executed, the virus attempts to install processor in its protected mode. This was quickly followed itself into free UMBs. If there are no free UMBs, the virus by Pure, which will only install itself into Upper Memory installs itself into conventional memory. The virus uses the Blocks, and Pink Panther, which uses i286-specific code same routine for creating and maintaining its area of both during installation. The next sample to be added to this class conventional and upper memory. of viruses is Argyle, which uses i386 commands in order to hide its presence in memory. anti-virus utilities cannot gain Chinese Roots access to the real addresses of the One of the developments in the anti-virus world is that most virus alarm interrupts such as vendors are attempting to standardise on a single naming convention. This means that it is unacceptable to name new Int 13h, 21h, 25h and 26h viruses at random: the name should reflect some attribute of the virus. If the new virus is a variant of an older parent The second feature of Argyle is its use of an i386 trick in such as Jerusalem or Vienna, it takes its name from that order to hide its own code. After the virus has become sample. Thus, a new Jerusalem variant would be named memory-resident, it checks the processor mode. If this is set Jerusalem.B, and so on. to real mode (that is, DOS was loaded without a memory manager in place, and the DOS session is not under Win- If the virus is completely new, the name is extracted from dows or OS/2, etc.) and the virus is loaded into conventional any internal text messages stored within the virus code. If memory, it calls a special routine in order to make memory there are no messages, the name is drawn from the virus detection more difficult. This stealth routine consists of effects, or from some other feature. copying the entire interrupt vector table into the virus own memory block, and loading a pointer to this copy into the In the case of the Argyle virus, there is a text string at the interrupt descriptor table. end of the virus code, but it is in Chinese, and therefore not wholly suitable for a virus name. As the virus contains no As a result, the processor will use the virus own copy of the other features apart from its stealth tricks, its name was interrupt table when searching for the address of an interrupt taken from the host file in which it was distributed. vector, instead of using the original table stored at 0000:0000-03FFh. Once this operation is complete, any Installation and Hiding in Memory changes made to the usual interrupt vectors have no effect whatsoever: the entire table could be filled with zeros, and The virus is a memory-resident parasitic EXE file infector the machine would still function! which uses a polymorphic engine in order to make it more difficult to detect. When an infected file is executed, the This trick means that standard debugging and anti-virus virus decrypts itself by XORing double words of the virus utilities will not work correctly, as the trace vectors Int 01h code with an encryption key, before passing control to its and Int 03h can no longer be set. Additionally, anti-virus installation routine. utilities cannot gain access to the virus alarm interrupts

such as Int 13h, 21h, 25h and 26h, as most utilities of this to other programs or to memory managers. I see no reason type directly access the standard interrupt table, or use the why the virus does this, although it is possible that the Get Interrupt Vector (Int 21h, subfunction 25h) and Set author included this feature in order to ensure compatibility Interrupt Vector (Int 21h, subfunction 26h) calls. with a tool he was using. The final part of the installation routine traces and hooks the Trigger Routine BIOS disk handler, Int 13h, Int 21h, and Int 09h, the keyboard handler. Once this process is completed, control is Argyle contains two different trigger routines. One inter- returned to the host program. cepts Int 13h read and write sector requests. During every 256th call, the virus sets a randomly-selected bit of data to Fishing for Interrupts its complementary value. This will cause gradual corruption of data stored on disk. When memory-resident, Argyle intercepts several of the Int 21h subfunctions. These are 3Dh (Open Handle), 4B00h The second trigger routine monitors the Int 09h handler. If (Load and Execute), 4B01h (Load), 56h (Rename File), 3Eh the user presses Ctrl-Alt-Del in order to reboot his machine, (Close Handle), 4Eh (Find First), 4Fh (Find Next), 57h the virus checks an internal counter and the system timer. (Get/Set File Date and Time), 25h (Get Interrupt) and 35h Depending on their values, a message is displayed in (Set Interrupt). Finally, it checks for an Int 21h call with Chinese. The only part of this text which is in standard EAX=FFFFFFFFh, the virus Are you there? call. ASCII characters is the date, Dec 1993.

The virus infects executable files when it intercepts a Conclusions Rename, Execute or Load call. In order to avoid multiply infecting files, it checks the file date and time stamp, and Although Argyle does not pose too many problems for anti- only infects files with a file date below 2080. This method virus vendors, the general trend of i386 viruses is cause for of infected file location has become almost standard, and some concern. By utilising the extra functionality of the was first used by the 4K virus. more powerful Intel processors, it is possible to increase vastly the degree of stealth which can be applied. Stealth Routines Virus writers have yet to gain much experience in writing In order to check that the file is an EXE file, Argyle exam- i386-specific code, which opens up a plethora of ways in ines the first two bytes of its potential victim. If these are which to subvert the PC. What will be the next develop- MZ, indicating that the file is in the EXE file format, the ment? We can only wait and see. infection routine is called. This alters the EXE header, calls the polymorphic code generation routine, and appends the Argyle encrypted virus code at the end of the file. Finally, 100 years is added onto the file date. During the infection process, Aliases: None known. Argyle hooks Int 1Bh (Ctrl-Break) and Int 24h (the DOS Memory-resident, parasitic file infector, Critical Error handler). Type: stealth and polymorphic. Files are also infected during the Close function. This is Infection: EXE files only. carried out in the same way, except for the fact that the virus uses information stored in the undocumented System File Self-recognition in File: Tables in order to complete the process. It the year value in file date stamp is above 2080 (plus 10 years), the virus When a call to the Open File function is intercepted, the does not hit the file. virus calls its stealth routine. If the file is infected, the virus loads it into memory, traces the execution path, and decrypts Self-recognition in Memory: the attached virus body, including the original EXE header Are you there? call consists of calling of the infected file. The virus then restores this copy of the Int 21h, with EAX=FFFFFFFFh. EXE header and truncates the file to its original length. 12345678h is returned in EAX. Thus, the file is disinfected before being passed back to the calling function. Hex Pattern: No search pattern is possible in files. Int 21h for infection and stealth, Int 13h The virus uses the Find First/Find Next and Get/Set File Intercepts: for damage, Int 09h for trigger routine. Date/Time stamp functions for a stealth routine which substitutes the length and file date of infected files with that Trigger: Corrupts data on disks, displays of the original host file. message, and reboots computer.

The interception of the Get/Set Interrupt Vector function is Removal: Under clean system conditions, identify used as an addition to the memory stealth algorithm. The and replace infected files. virus executes these calls in order to prevent passing control

COMPARATIVE REVIEW

The Review, Reviewed ahead of the game, and pouring in the necessary resources to Dr Keith Jackson keep their scanner speed acceptable high while still identify- ing increasingly polymorphic virus code. One of the regular items published in Virus Bulletin is the anti-virus product review, eagerly anticipated by developer The Standard Test-Sets and user alike. Do these articles serve a useful purpose, or If I had my way, the standard test-sets would either be are they simply a waste of time? It is virtually impossible to varied so frequently that nobody would be certain as to what answer such questions for reviews of individual products: was in them or, most likely, would be scrapped altogether. the answer depends far too much on the particular product VB gets many calls from developers asking for copies of being reviewed. Comparative reviews, however, are a their test-set [there was even one request for regular different matter altogether. updates of all test-sets used! Ed]. The fundamental issue is who chooses the test-set contents. The individual with this When reviewing anti-virus products, it is easy to test how responsibility can bias test results - this may not even be a well a scanning program checks a set of virus-infected files conscious decision. and from there write a results-based review: many reviews written in computer magazines seem to be produced in this VB actually goes to great lengths to be fair in its reviewing way. Writing a fair, objective and (most importantly) useful process, but, as must be expected, some people have easier review is more difficult. If conducted well, a comparative access to test-sets than others. Were I a complete unknown, review of several scanners may be the fairest way of and asked VB for a copy of the standard test-set, in order to gauging the performance level of individual scanners. develop an anti-virus program, would they oblige? The answer must be no: a malicious person could request a copy Timing Comparisons of all currently known 3000-plus viruses, and propagate them to far-flung corners of the globe. Conversely, if the When I review a scanner, I measure the time taken to scan person involved were known in the industry, the response to the hard disk on my test computer, and provide similar such a request would almost certainly be yes. results for two other well-known scanners. This is not done to publicise the other scanners, but as recognition of the fact that an absolute measurement of the time taken to carry out any manufacturer who performs a scan does not mean a great deal on its own. particularly badly in polymorphic Scan time is affected by the processor, processor clock speed, the type of hard disk, the partition structure on the tests is almost certainly having hard disk, how files are fragmented on the hard disk, the difficulty devoting the required operating system, what software is executing concurrently, etc. The list is so long, and so intertwined, that what is manpower to the problem quickest on one computer may well not be so on another. Ultimately, use of a standard test-set probably leads to the So, is the time taken to scan a disk of any relevance? Alone, development of anti-virus software which scores highly it means little: what is important is whether the user per- against that particular test-set, and which may well react ceives it to be excessively long. As is the way with such differently when used in the real world. The existence of things, it is a subjective criterion. However, comparative standard test-sets seems to reinforce a hegemony among the measurements of scanning speed do allow users to select leading product developers, which at best is unhelpful, and products with a reasonable scan time, and (if speed is at worst will lead to sterile numbers-game competition important) to reject the slowcoaches. amongst a few companies, with newcomers excluded. Users deserve better than this. Scan Time for Virus Test-Sets Detection Rate In the Wild The time taken to scan a set of virus-infected files should not be a prime factor. Overall scan time may be important, The In the Wild test-set is a continuously updated set of but that the scanner slows down and cogitates on a file viruses with examples of viruses known to have been found suspected to be virus-infected seems of little consequence, on a users site. Such a test-set is a necessary precaution: unless the time delay is exorbitant, and the file is in fact there are individuals who, on writing a virus, stake their clean. Given that these measurements are contained in the claim to fame by sending a copy to an anti-virus company. comparative scanner review, it merely means that the anti- They do not often bother to release a copy of the virus to let virus developers who score well in this test are keeping well it wend its merry way around the world.

Such a virus is rarely seen outside laboratories of anti-virus released: it should not be beyond the wit of man to find a developers, who unfortunately must take receipt of every way of pooling this resource across several developers when virus seriously: there is no immediate way of telling whether comparative reviews are being considered. Such action a virus is in the wild. A virus may be the most dangerous would tend to alleviate the problem of who chooses the ever written, but is not harmful (apart from inducing panic) content of the false positive test-set. As false alarms waste unless released into the computer community. more money than viruses, the developers of the best scanners should be keen to contribute to such a scheme. Only viruses which have been detected with certainty on a few user sites are included in the In the Wild test-set. It is a Which Product is the Right One? telling comment on the psyche (and software capability) of virus writers that this test-set is but a small subset of the There are serious considerations when it comes to the choice number of viruses actually known to exist. of an anti-virus product. Some of the most important are:

The detection rate on the In the Wild test-set is probably If a scanner performs badly against the In the Wild the most important measurement in the entire comparative test-set, consider it no further - its developer is obviously review. I contend that any scanner which cannot detect shirking his responsibilities. 100% of such viruses (excepting viruses which have just If a scanner is very slow, users will not operate it. There come to light) should be viewed as less than adequate. is thus little point in purchasing it. Speed measurements Companies which develop anti-virus scanners regularly are subjective, and can only really be assessed by an exchange virus sets, and know well which viruses occur in individual user when measured on his own computer the wild. If a company cannot, or will not, update its scanner system(s). Try before you buy. to deal with a known problem, this may be taken as indica- If a scanner continually throws up false positives despite tive of its attitude as a whole: avoid its products like the being used correctly, ditch it. plague. Having said that, it is noticeable that most scanner developers do indeed try hard to be very close to 100% Beyond these rules (which admittedly do not form a detection for viruses known to be in the wild. sufficient basis for a purchasing decision), the choice is more difficult. Many scanners show signs of falling behind in the game of catch played between virus writers and anti- Polymorphic Detection virus companies. Such effects are difficult to measure Not all viruses can be detected by scanning for a fixed accurately, but any manufacturer who performs particularly sequence of bytes. Those which encrypt themselves with a badly in polymorphic tests is almost certainly having unique key each time they replicate and which can change difficulty devoting the required manpower to the problem. their structure are known as polymorphic. They require a Deducing how to detect a polymorphic virus accurately is scanner to use techniques beyond pattern matching. not always the greatest feat of Sherlock Holmes-like detection: it is, however, time-consuming, fiddly, and The VB comparative review shows how well scanners can manpower intensive. detect extremely polymorphic viruses. It is in reality a measure of the amount of research a company puts into Conclusions keeping its scanner up to date. Only developers who invest the requisite amount of effort to keep up to date with such There are few positive gains to be had from comparative problems will survive in the long term. scanner reviews, only negative ones. For example, it would be ridiculous to choose one of the best (i.e. most accurate) Improving the Test-Sets scanners on the grounds that it detected 1% more viruses than its closest competitors. However, deciding not to The shortfalls associated with using standard test-sets were purchase one of the less efficient scanners because it was discussed earlier in this article: what improvements could be 20-30% worse than the best scanners currently available made to a comparison of various scanners? would be a reasonable decision. A high detection rate is a prerequisite for a scanner. Some products are prone to the erroneous detection of the presence of a virus in a file, an error known as a false You should check that the scanner you choose achieves an positive. It has been requested that VB measures the acceptable detection rate when running in the mode which incidence of such false positives in its product reviews. gives acceptable speed - not just in a fearfully slow high Unfortunately, factual information about false positives can security mode. only be obtained if a product is tested against all known software packages, which is somewhat difficult to achieve. The protocol used for these tests is published in detail, and any software developer can have his product included by There is no unique solution; however, most reputable anti- contacting the editor of VB. The magazine always attempts virus developers maintain at least one system containing to provide objective evidence about anti-virus scanners, and, samples of every software package they can obtain. Scan- within the constraints discussed above, the results can be ners are tested against this store of files before being positively illuminating.

COMPARATIVE REVIEW

VB Scanner Review: July ’94 important consideration, it is of paramount importance that a Mark Hamilton product correctly detects as many different viruses as possible. Anti-virus software manufacturers were asked to supply the version of their scanner which was shipping at In the six months since VBs last comparative scanner the beginning of May. No special releases were accepted, review, there have been more than the usual amount of unless otherwise stated. changes in the anti-virus world, from withdrawals of products, to births of new ones, and takeover bids. Total Control has withdrawn its VIS, although the company Avast! Version 6.20 has told VB it will continue to support existing users in the short term. Further afield, Symantec has acquired Fifth In the Wild: 97.2% Generation and signed an agreement to buy Central Point. Boot Sector: 0.0% All this makes the future of Untouchable and Search and Standard: 99.6% Destroy (both from Fifth Generation) rather uncertain. The Polymorphic: 90.0% fate of CPAV is also as yet undecided.

Symantecs Norton Anti-Virus is noticeable by its absence: The failure of Avast! (Alwil Software, Prague) to detect boot despite their initial willingness to participate, and numerous sector viruses is somewhat puzzling, given that its other telephone calls and faxes to both its UK and US offices, results were most encouraging, particularly in the Polymor- nothing was forthcoming. As testing was completed, a phic test-set. It is, however, one of the slower packages package did arrive from Symantec - unfortunately, it was the tested, with a scanning speed of only 109KBytes per second. NetWare version, and could not be included.

Testing Protocol ASP Integrity Toolkit Version 3.7.9

Products were pitted against four test-sets: In the Wild, In the Wild: 67.9% with 109 samples of file infectors known to be at large; a Boot Sector: 44.4% Boot Sector set containing nine commonly found viruses; Standard: 55.1% the Standard test-set, consisting of 227 file infectors; and a Polymorphic: 0.0% set of 750 polymorphic viruses. For further details, see the table at the end of this article. This package, originally written by Dr Fred Cohen, is now Disk scanning speed on both an uninfected hard drive and a distributed and maintained by Sikkerheds Radgiverne ApS in clean floppy drive was tested on all products. For the first Copenhagen. Results were obtained from running an early time, a speed test on an infected hard drive was also in- version of Fridrik Skulasons F-Prot (March 1992) which is cluded, giving users some idea of how long a scan might included on the installation disk, but not installed. Unsur- take when checking a machine with a number of infected prisingly, this product had the worst detection results, files on it. The Polymorphic test-set was chosen for this missing boot sector viruses Parity Boot, BFD-451, Monkey, speed degradation test, since that type of virus represents the Jack the Ripper and Quox. worst case for most anti-virus products. Tests were performed on a 16MHz Dell 386SX with 4MB memory, which is a typical office machine. AVScan Version 1.51a Product speeds are given in kilobytes per second. This represents the times taken to scan an uninfected hard drive In the Wild: 100.0% containing 165 executable files spread across 14 directories Boot Sector: 100.0% and occupying 6,917,984 bytes, an infected hard drive Standard: 100.0% containing 750 executable files spread across 8 directories Polymorphic: 82.1% and occupying 8,510,417 bytes, and a clean high-density floppy disk containing 51 executable files occupying AVScan from H+BEDV is one of the best packages available 1,400,626 bytes in a single directory. in terms of detection, and as an added plus, it is freeware! It gets perfect scores in all the principal tests but, as do so Conclusions about products were made according to many others, it fails on a number of the polymorphic detection rate: the higher the overall score on detection, the viruses. It is a great pity that the commercial version of the better the overall placing. Although scanning speed is an product, AntiVir IV, is only available in German.

Central Point Anti-Virus V2.0 Microsoft Anti-Virus (with MS-DOS 6.2)

In the Wild: 75.2% In the Wild: 68.8% Boot Sector: 44.4% Boot Sector: 44.4% Standard: 92.5% Standard: 90.7% Polymorphic: Failed to complete Polymorphic: Failed to complete

Central Point submitted three packages for review: Central This product was written by Central Point, and although Point Anti-Virus for DOS v2.0, Central Point Anti-Virus for released after Central Points version 2.0, it has a worse Windows v2.0 and Central Point Anti-Virus for DOS v2.1 detection record in most categories. It too misses Parity (see p.18). The scores for the two v2.0 products are identical Boot, Monkey, Jack the Ripper, Quox and BFD-451, and and uninspiring, especially against the boot sector viruses. suffers the same problems regarding polymorphic viruses as its big brother. Poor.

The Doctor Version 94.04 IBM Anti-Virus for DOS Version 1.05 In the Wild: 96.3% Boot Sector: 100.0% In the Wild: 95.4% Standard: 97.3% Boot Sector: 100.0% Polymorphic: 80.0% Standard: 98.7% Polymorphic: 80.0% This product is developed by Roger Thompson, of Thompson Network Software (formerly of Leprechaun Depending on where and when you buy IBMs PC-DOS 6.3, Software). The package is being updated and sold in the this may be the version of its anti-virus product included USA, and is one of the more secure, if slower, available. (PC-DOS sold in Europe may have a slightly earlier version of the scanner). The review version was supplied by an IBM value-added reseller in the US. As an add-in extra to vanilla F-Prot Professional Version 2.12a DOS, this product represents terrific value for money, and sets the standard for Microsoft.

In the Wild: 99.1% Boot Sector: 100.0% Standard: 100.0% PC Vaccine Pro (PCVP) version 2.0 Polymorphic: 81.7% In the Wild: 96.3% A very high detection rate puts this package, from Frisk Boot Sector: 88.9% Software International in the top 10. Surprisingly, after Standard: 95.1% detecting 100% of polymorphic infections in the last Polymorphic: 79.1% comparative review, tests this month showed a significantly lower detection rate, which has marred the products This product, from Computer Security Engineers, missed previous excellent results. However, it is still one of the top four of the new viruses found in the wild, in addition to the packages available. Jack the Ripper boot sector virus. It is, however, the fifth fastest at scanning a clean hard drive.

Iris Anti-Virus Version 4.20.25 Scan 9.25 Version 114 In the Wild: 89.0% Boot Sector: 66.7% In the Wild: 97.2% Standard: 97.8% Boot Sector: 88.9% Polymorphic: 80.3% Standard: 98.7% Polymorphic: 89.6% A set of mediocre test results from Iris. Like several other products, the detection of boot sector viruses lets Iris Anti- This is the version of McAfee Associates Scan which was Virus down, missing BFD-451, Jack the Ripper and Quox. shipping at the time of testing, although plans are afoot for All the boot sector viruses used in the test-set are in the McAfee Scan version 2.0, which is already in Beta release wild. This deficiency needs to be addressed immediately. (see overleaf). Similar scores to last Januarys test.

In the Wild (109) Boot Sector (9) Standard (227) Polymorphic (750) Overall (100) Avast! 106 0 226 675 72.0 ASP 74 4 125 0 42.0 AVScan 109 9 227 616 96.0 CPAV/DOS 2.0 82 4 210 Failed to complete 53.0 CPAV/DOS 2.1 93 5 211 Failed to complete 58.5 CPAV/Win 2.0 82 4 210 Failed to complete 53.0 The Doctor 105 9 221 600 93.4 F-Prot Professional 108 9 227 613 94.8 IBM Anti-Virus 104 9 224 600 93.5 Iris Anti-Virus 97 6 222 602 83.5 Microsoft Anti-Virus 75 4 206 Failed to complete 51.0 PCVP 105 8 216 593 90.0 Scan v114 106 8 224 672 93.6 Scan v2.0 Beta 100 8 220 279 78.7 Search and Destroy 99 7 219 500 83.0 SmartScan 75 7 215 0 60.3 Sweep 109 9 227 674 97.5 S&S AVTK 108 9 224 682 97.2 ThunderBYTE 108 9 227 725 99.0 VET 107 9 224 672 96.6 Virex-PC 100 9 218 598 92.0 Virus Buster 85 8 210 607 85.1 Virus Buster Lite 84 8 209 607 85.0 Virus Control 107 9 221 581 93.3 ViruSafe 90 9 214 550 88.0 Vi-Spy 109 9 227 675 97.5

The final scores! Overall scores out of 100 have been calculated as follows: viruses known to be in the wild (the results from the In the Wild and Boot Sector tests) account for 50% of the final score. The remaining 50% is made up by combining the scores from the Standard and Polymorphic test-sets. In this comparative, nobody escaped without missing at least 26 viruses.

Scan Version 2 (Beta) SmartScan Version 3.05

In the Wild: 91.7% In the Wild: 68.8% Boot Sector: 88.9% Boot Sector: 77.8% Standard: 96.9% Standard: 94.7% Polymorphic: 37.2% Polymorphic: 0.0%

Version 2 of McAfees Scan is claimed to scan more quickly Visionsofts contribution missed many viruses: this fact, than its predecessor. This is true on clean drives but, as coupled with its slow scanning speeds, contribute to making results show (see table p.17), it is very slow on an infected it one of the less efficient anti-virus software packages on system. The boot sector virus Quox foxed both versions, and the market. The boot sector viruses which it failed to detect polymorphic detection is much lower than in version 1. were BFD-451 and Quox. Possibly falling behind?

Floppy Read (Kb/sec) Clean HD Read (Kb/sec) Infected HD Read Degradation

Avast! 15.2 109.0 27.2 4.0 x slower

ASP 6.5 58.2 58.1 n/a

AVScan 17.6 139.6 32.1 4.3 x slower

CPAV/DOS 2.0 14.4 99.4 Failed to complete n/a

CPAV/DOS 2.1 15.0 99.4 Failed to complete n/a

CPAV/Win 2.0 11.8 87.7 Failed to complete n/a

The Doctor 13.8 51.8 17.0 3.0 x slower

F-Prot Professional 20.7 182.6 21.4 8.5 x slower

IBM Anti-Virus 13.4 91.3 40.7 2.2 x slower

Iris Anti-Virus 12.3 24.0 49.2 2.0 x faster

Microsoft Anti-Virus 27.9 114.5 Failed to complete n/a

PCVP 20.1 257.9 96.6 2.6 x slower

Scan v114 13.1 37.1 13.5 2.7 x slower

Scan v2.0 Beta 21.3 57.6 3.5 16.5 x slower

Search and Destroy 21.5 339.5 40.8 8.3 x slower

SmartScan 12.5 112.8 38.1 3.0 x slower

Sweep 7.6 39.7 26.3 1.5 x slower

S&S AVTK 27.9 196.7 2.4 82.8 x slower

ThunderBYTE 59.5 750.6 9.7 77.4 x slower

VET 16.4 119.6 86.5 1.4 x slower

Virex-PC 7.0 35.9 13.4 2.8 x slower

Virus Buster 25.8 153.5 3.3 46.5 x slower

Virus Buster Lite 40.2 293.7 3.3 89.0 x slower

Virus Control 23.7 148.5 42.0 3.5 x slower

ViruSafe 27.4 270.2 129.9 2.1 x slower

Vi-Spy 23.6 150.1 26.0 5.4 x slower

Once again, the faster products are not necessarily the least accurate. ThunderBYTE, the most accurate product on the test-sets used, is also the most fleet-footed, scanning at an impressive 750KBytes per second on a clean hard drive. For the first time, scan times on an infected hard drive have been included - these give some measure of the time taken on a machine containing several infected files.

Virus Buster Version 4.03.05 VET Version 7.63

In the Wild: 78.0% In the Wild: 98.1% Boot Sector: 88.9% Boot Sector: 100.0% Standard: 92.5% Standard: 98.7% Polymorphic: 80.9% Polymorphic: 89.6%

A disappointing result for Leprechaun Software. The Cybecs VET suffers less from speed degradation when company also submitted a package called Virus Buster Lite scanning infected drives than most other packages, only (see tables). Scores for this were identical to the full version, slowing by a factor of 1.4. This is the top package from the with the exception of the In the Wild test-set, where one southern hemisphere, and has improved considerably since extra virus was missed. the last review.

Search and Destroy Version 28.02 Central Point AV/DOS Version 2.1

In the Wild: 90.8% In the Wild: 85.3% Boot Sector: 77.8% Boot Sector: 55.6% Standard: 96.5% Standard: 93.0% Polymorphic: 66.7% Polymorphic: 0.0%

Search and Destroy was licensed last year by Novell from This is the latest version of CPAV, phased in while this Fifth Generation, since when the company has been review was underway. It failed to detect Monkey, BFD-451, acquired by Symantec: whether the product continues to be Jack the Ripper and Quox boot sector viruses. This package developed or supported has yet to be seen. When this has always suffered from bugs - the inability to scan scanner runs, it displays an internal version date of 22 July, polymorphic viruses without crashing the PC, and its 1993, going some way to account for its indifferent detec- propensity to leave virus signatures in memory. tion capabilities. The results in this current review show that nothing has changed: all three versions submitted for testing crashed when run against the Polymorphic test-set. These points Sweep Version 2.60 have been mentioned time and again: it is totally unacceptable that the problems still exist. Whether this will be fixed In the Wild: 100.0% or not remains to be seen - at this time, the entire future of Boot Sector: 100.0% CPAV seems uncertain. Standard: 100.0% Polymorphic: 89.9% S&S AVTK for DOS Version 6.54 Sweep from Sophos is, as always, an efficient and depend- able product, despite the slow scanning speeds in its full In the Wild: 99.1% sweep mode. Boot Sector: 100.0% Standard: 98.7% Polymorphic: 90.9% Virex-PC Version 2.93 Another set of good results from S&S International, placing In the Wild: 91.7% the product well up in the overall rankings. Due to changes Boot Sector: 100.0% to the way in which the AVTK indentifies polymorphic Standard: 96.0% viruses, it slows down greatly on an infected machine. Polymorphic: 79.7% However, this is easily made up for by its ability to carry out precise virus identification on such files. Although it is not one of the faster packages, this product from Datawatch ended up in the top half of the table. Better in the wild detection is needed. ThunderBYTE Anti-Virus Version 6.20

In the Wild: 99.1% ViruSafe Version 6.1 Boot Sector: 100.0% Standard: 100.0% Polymorphic: 96.7% In the Wild: 82.6% Boot Sector: 100.0% ThunderBYTE from ESaSS was rated the best package in the Standard: 94.3% last comparative review (VB, January 1994, pp.14-19). Polymorphic: 73.3% Overall, it is still the highest-scoring package, and also has the highest polymorphic detection rate. This package from EliaShim will not allow scanning of more than one floppy: the program fails to note that the disk Its author, Frans Veldman, was very keen to have this has been changed and attempts to locate files from the version reviewed, which features a new detection engine previously scanned floppy. The program must be exited specifically geared to polymorphic viruses. The product is between scans and, as it appears to leave virus signatures in capable of examining the encrypted code within a polymor- memory, the PC rebooted or memory scans disabled. phic virus, making more precise identification possible. Still Checking an infected boot sector results in the reporting of a blindingly fast on a clean machine, TBAV slows down by a corrupted text string instead of a virus name. factor of over 75 on an infected one.

Virus Control Version 3.42 The Test-Sets

In the Wild: 98.2% 1. In the Wild Boot Sector: 100.0% 4K (Frodo.Frodo.A), Barrotes.1310.A, BFD_451, Butterfly, Standard: 97.4% Captain_Trips, Cascade.1701, Cascade.1704, CMOS1- Polymorphic: 77.5% T1, CMOS1-T2, Coffeeshop, Dark_Avenger.1800A, Dark_Avenger.2100.DI.A, Dark_Avenger.Father, Datalock.920.A, Dir-II.A, DOSHunter, Eddie-2.A, This product, from Norman Data Defense Systems, was first Fax_Free.Topo, Fichv.2.1, Flip.2153.E, reviewed in Virus Bulletin earlier this year (May 1994 Green_Caterpillar.1575.A, Halloechen.A, Helloween.1376, pp.17-19). The detection rate of polymorphic viruses has Hidenowt, HLLC.Even_Beeper.A, already improved considerably: where will it go from here? Jerusalem.1808.Standard, Jerusalem.Anticad, Scanning speeds were quite acceptable; indeed, faster than Jerusalem.PcVrsDs, Jerusalem.Zerotime.Australian.A, some of the other high scorers. Keypress.1232.A, Liberty.2857.D, Maltese_Amoeba, Necros, No_Frills.843, No-Frills.Dudley, Nomenklatura, Nothing, Nov_17th.855.A, Npox.963.A, Old_Yankee.1, Old_Yankee.2, Pitch, Piter.A, Power_Pump.1, Revenge, Vi-Spy Version 12.0 Screaming_Fist.II.696, Satanbug, SBC, Sibel_Sheep, Spanish_Telecom, Spanz, Starship, SVC.3103.A, In the Wild: 100.0% Syslock.Macho, Tequila, Todor, Tremor (5), Vacsina.Penza.700, Vacsina.TP.5.A, Vienna.627.A, Boot Sector: 100.0% Vienna.648.A, Vienna.W-13.534.A, Vienna.W-13.507.B, Standard: 100.0% Virdem.1336.English, Warrior, Whale, XPEH.4928. Polymorphic: 90.0% 2. Boot Sector RG Softwares Vi-Spy emerges as one of the top scoring Brain, Form, Italian, Michelangelo, Monkey, anti-virus packages tested, equal second with Sweep, and New_Zealand_2, Quox, Spanish_Telecom, and V-Sign. outdone only by ThunderBYTE. Speeds are comparable to the last review; in the top half, but not the fastest. Reliable. 3. Standard 1049, 1260, 1575, 1600, 2100 (2), 2144 (2), 405, 417, Final Comments 492, 4K (2), 5120, 516, 600, 696, 707, 777, 800, 8888, 8_Tunes, 905, 948, AIDS, AIDS II, Alabama, Ambulance, Anti-virus products are constantly changing; new ones Amoeba (2), Amstrad (2), Anthrax (2), AntiCAD (2), appear as old ones fade away. Only the best can hope to stay AntiPascal (5), Armagedon, Attention, Bebe, Blood, Burger the course. Unsurprisingly, results varied wildly, from the (3), Butterfly, Captain_Trips (2), Cascade (2), Casper, sublime to the ridiculous. Every product should be able to Coffeeshop, Dark_Avenger, Darth_Vader (3), Datalock(2), Datacrime, Datacrime_II (2), December_24th, Destructor, detect all viruses in the In the Wild test-set: in fact, only Diamond (2), Dir, Diskjeb, DOSHunter, Dot_Killer, Durban, three (Vi-Spy, Sweep, and AVScan) managed this. Eddie, Eddie_2, Fellowship, Fish_1100, Fish_6 (2), Flash, It is also important that products are capable of detecting Flip (2), Fu Manchu (2), Halley, Hallochen, Helloween (2), Hide_Nowt, Hymn (2), Icelandic (3), Internal, Invisible_Man polymorphics other than Mutation Engine-generated viruses. (2), Itavir, Jerusalem (2), Jocker, Jo_Jo, July_13th, Kami- It is incredible that six products detected no polymorphic kaze, Kemerove, Kennedy, Keypress (2), Lehigh, Liberty viruses at all (all three from Central Point, and the product (5), LoveChild, Lozinsky, Macho (2), Maltese_Amoeba, from Microsoft, crashed every time the test was attempted), MIX1 (2), MLTI, Monxla, Murphy (2), Necropolis, Nina, and that a further six detected less than 80% of this test-set. Nomenklatura (2), NukeHard, Number_of_the_Beast (5), Even though the Polymorphic test-set has been overhauled Oropax, Parity, PcVrsDs (2), Perfume, Pitch, Piter, and updated for this review, the only very new virus Polish_217, Power_Pump, Pretoria, Prudents, Rat, included is Pathogen, and this accounted for less than 7% of Satan_Bug (2), Shake, Sibel_Sheep (2), Slow, Spanish_Telecom (2), Spanz, Starship (2), Subliminal, the samples. Sunday (2), Suomi, Suriv_1.01, Suriv_2.01, SVC (2), Certain manufacturers will need to make radical changes to Sverdlov (2), Svir, Sylvia, Syslock, Taiwan (2), Tequila, Terror, Tiny (12), Todor, Traceback (2), Tremor, TUQ, their products if they wish to remain contenders: a signifi- Turbo_488, Typo, V2P6, Vacsina (8), Vcomm (2), VFSI, cant number appear to have become lazy, not only on Victor, Vienna (8), Violator, Virdem, Virus-101 (2), Virus-90, scanning speed but, most importantly, on detection rates. Voronezh (2), VP, V-1, W13 (2), Willow, WinVirus_1.4, Certain other developers have improved considerably since Whale, Yankee (7), Zero_Bug. the last review, giving more competition to the vendors, and (as a direct consequence) more choice to the user. Anti-virus 4. Polymorphic software is often the main line of defence against virus The test-set consists of 750 genuine infections of: attacks: if a product cannot detect reliably and consistently, Cruncher (25), Coffee_Shop (500), Pathogen (50), it cannot be said to be protecting the user. No excuses are Satan_Bug (100), Uruguay_4 (75). good enough.

PRODUCT REVIEW

Norton on NetWare Once the install program was running, it performed fault- Jonathan Burchell lessly, automatically copying the NLM to the SYS volume, making changes to AUTOEXEC.NCF, and installing the Windows workstation component. A custom install option Norton Anti-Virus for NetWare is a virus scanner and allows complete control of the process. program inoculator. It is designed as a complete stand-alone product, capable of protecting Novell file servers. The Before performing the install, the installation routine product does not rely on the presence of companion scan- scanned all local drives for viruses. Apart from its dubious ners and TSR programs on workstations to achieve file worth (scanning from within Windows almost entirely rules server protection. out a clean boot), it was a nice touch. Only the install software has the capability of local scanning; once installed, The software is capable of scanning both DOS and Macin- the feature is lost. tosh files. However, only an NLM version is supplied, so NetWare 2.0 owners are left out in the cold. It is worth Some idea of the slickness of the installation routine is noting that Novell has officially announced a retirement day reflected in the fact that when it presented the dialogue box for NetWare 2.0: perhaps it is finally time to scrap any 286 for my registration details, it had already filled in my name file servers in your organisation. Additionally, NAV for and company from the information stored in Windows! NetWare requires at least one machine which has Windows installed on it for installation and configuration; no DOS Administration utilities are provided. Once installation is complete, the software is ready to be The software claims to be compatible with all NetWare configured and used. The NLM has an informative console versions 3.1x and 4.0. I have no reason to doubt the veracity screen showing status, and keyboard entry allows the NLM of these claims, but the manual makes no mention of support to be enabled or disabled, scanning to be started or stopped, for special 4.0 features such as file compression and backup and the NLM to be unloaded. The unload feature is not media migration. password-protected, so anyone with console access could do this. Control via the console is meant to provide only the Documentation most rudimentary of options. The real way to control and configure the software is from a workstation via the admin- The documentation is a single 60-page manual in the istrators software. familiar Symantec/Norton colours and style. It covers installation requirements and gives an extremely good guide The Windows interface provided is really very good. I found to using the software, clearly presenting each feature and it totally intuitive to use, and in no way limited by being control. Information about what viruses are, and methods of constrained to a GUI. It should serve as a model (or is that preparation for and dealing with an infection is also in- an icon?) of how to do it for other Windows products. cluded - a useful addition.

Installation The software arrives on just two 3.5-inch high-density disks (5.25-inch disks are available by contacting Symantec directly). Installation is started by typing A:INSTALL at the DOS prompt.

This automatically starts Windows on the hard disk, and runs from within Windows - a neat trick, which unfortunately failed on my system as I have several copies of Windows. The install program found the wrong one.

The documented method did, however, work if I started the install program from the home directory of the copy of Windows I wanted to use, or if I started Windows before running the install program. The manual should clarify this, as the organisation of Windows on my disk is not that different from a network install - I have one real copy of NAV has one of the nicest user interfaces around - however, its Windows and several local users versions. virus detection results are somewhat disappointing.

Concepts and Features workstation lockout. The mechanism which allows the quarantine directory to be chosen is wonderful, presenting a Administering the server (or servers) requires a valid graphical browser which starts first with servers, then allows supervisor privileged NetWare login. All servers in a volumes and specific directories to be selected. The direc- domain can be administered at once: this is convenient for tory specified must exist. No option to create one is given. dealing with large networks with many servers, as configuration details will automatically (optionally) propagate from As well as taking action on detection, NAV will send out server to server within a domain, and infection and activity alerts, which are subdivided into almost any combination of logs will be stored on the designated master server. NetWare broadcast messages, MHS mail, and pager activa- tion. The NetWare messages may be sent to any combina- The main window presents summary status information for tion of all users, file user, file owner, file updater, system all the protected servers, together with a button-bar which console, supervisor, or to a specified list of users. allows access to configuration options, the virus encyclopaedia, the NetWare console and the activity logs. A more It is not possible to modify messages sent: this is a serious traditional menu-bar is also available. omission, as few corporates want to risk inducing panic by Real-time scanning allows selection between scanning, DOS allowing the vendors virus detection message to propagate. files, Macintosh files, and all files, or just programs, One can, however, modify the pager and MHS messages. incoming and/or outgoing files and the server DOS and The pager option requires additional software and a modem. NLM memory space. Logging and Reporting in the all files mode, detection NAV provides a feature-rich logging and reporting system. Log files of configuration details, activity, and infections are of the polymorphic test-set was produced. It is possible to configure the information which goes into the log file precisely, and a useful option allows appalling, finding less than 1% of specification in kilobytes of the maximum size log files may all samples reach. Once they attempt to grow above this size, the oldest information will automatically be discarded. The immediate scan options are almost identical to the real- time options, with the additional ability to set the maximum In addition to good logging, the software provides excellent amount of server CPU time which can be consumed by the filtering and display functions, enabling log file reports to be NLM. This should help lessen the impact of scanning on a generated. One disadvantage is that the format of the log file heavily loaded server, at the expense of increasing the actual is not detailed anywhere, making it difficult to write scan time. Like the real-time scan, it is possible to select software to examine them automatically. On the other hand, between the global alert list and a custom list, and to select the configuration and filtering options cater for just about between scanning all servers or scanning particular items, any possibility. The final report can be printed, sent to disk which may be a server, a volume or even a particular or mailed to a user. One thing I would like to see is the directory (and, optionally, subdirectories). ability to run a report automatically, and mail the results.

The scheduled scan options are similar to the immediate Workstations equipped with Norton Anti-Virus are able to scan, with the ability to specify a time. The scheduler is very make use of the server-configured alert and logging mecha- flexible and will store a list of scheduled scans. Scans may nism, providing centralised collection of reports. be one time only or repeatable. One-time scans are erased from the list after execution. The scheduler allows timed The on-line help system was extremely well laid out and scans, with frequency specified in statements like: Monthly informative. In addition, a fairly good electronic virus on the 1st @ 3.00 AM. Such simplicity is excellent, encyclopaedia is included. This is, in fact, the list of viruses allowing a quick and easy interpretation of the current setup. for which the scanner searches, and includes basic information on virus types and triggers, in addition to other bits of general information. It is possible to remove a virus from the Actions to be Altered signature database, but I cannot really think of a good reason The Exclusions list option allows the list of file extensions to do this: if a file were genuinely causing false positives it which represent an executable to be altered, and permits would be better to try and exclude it from the scanning, specific areas of servers (perhaps those to which no user has rather than to remove the virus signature from the database. write access) to be excluded from a scan. These modifica- No option to add signatures into the database is provided. tions are global and apply to all types of scanning. Inoculation and Scanning The Upon Detection option controls the action to be taken if a virus is detected, including denying further access to the As well as scanning, NAV for NetWare offers a second form file, deleting the file, renaming the file, moving the file to a of protection, which it calls inoculation. This terminology quarantine directory, loading an NLM, and forcing a is something of a misnomer, as the protected files (which

must be executables) are not inoculated as such - inoculation usually refers to the process of adding code to a file which Norton Anti-Virus for NetWare supposedly protects it against infection, or which allows it to detect an infection. My guess is that in this case it means Detection Results (Secure mode): building a database of files, their locations and such details as size, dates, permissions and a checksum. NLM Scanner Standard Test-Set [1] 220/229 96.1% The inoculation feature could be a useful addition, as In the Wild Test-Set [2] 104/109 95.4% executables on a file server are extremely unlikely to change Polymorphic Test-Set [3] 350/450 77.8% under normal circumstances. Also, the checking is being done on the server from an NLM, so it is not possible for a DOS Scanner stealth virus to defeat the checking process (as happens with No workstation software is provided. simple schemes on workstations). Symantec would be well advised to expand upon exactly what this feature does. Scanning Speed: Scanning can be configured not only to check for signatures, Speed results for an NLM product are inappropriate, but also to check for files which either are not in the due to the multi-tasking nature of the operating inoculation database, or have changed their inoculation data. system. Full comparative speed results and over- On detecting an inoculation variation, it is possible to heads for all current NLMs will be printed in a forth- configure options similar to those for virus detection. coming VB review.

The package also contains what is perhaps the most idiotic feature I have ever seen - automatic inclusion of the new file Technical Details in the inoculation database, thus ensuring that any unknown Product: Norton Anti-Virus for NetWare file (which may be infected) is immediately marked as OK. I see very little justification for such a feature. If it is deemed Developer: Symantec Corporation (Peter Norton Group), 2500 an absolute necessity, it should be a Hold the button whilst Broadway, Suite 200, Santa Monica, California 90404, USA. I do it option, not a tick box which can be set for ever. If Tel. +1 503 334 6054, Fax +1 503 334 7400 you buy a guard dog, you must expect it to bark, and not UK Office: Symantec Northern Europe, Sygnus Court, Market muzzle it at the first noise. Street, Maidenhead, Berkshire, UK. Tel. +44 628 592222, Fax +44 628 592393 Updates to virus signatures are available quarterly on floppy Price: £729.50, US$1093.50 for a single server with unlimited disk by subscribing to the update disk service. The manual workstations, with monthly updates. mentions neither the cost of this service, nor whether or not Hardware used: Client machine - 33 MHz 486, 200 Mbyte IDE the updates are available electronically. drive, 16 Mbyte RAM.File server - 33 MHz 486, EISA bus, 32 bit caching disk controller, NetWare 3.11, 16 Mybte RAM. Results were obtained by setting up the real-time scanner and copying the test-sets to the file server. When tested in Each test-set contains genuine infections (in both COM and EXE the all files mode, detection of the polymorphic test-set format where appropriate) of the following viruses: was appalling, finding less than 1% of all samples. How- [1] Standard Test-Set: As printed in VB, February 1994, p.23 ever, once the files were renamed to their executable (file infectors only). extension, detection results improved. [2] In the Wild Test-Set: 4K (Frodo.Frodo.A), Barrotes.1310.A, BFD-451, Butterfly, Captain_Trips, Cascade.1701, Cas- Conclusions cade.1704, CMOS1-T1, CMOS1-T2, Coffeeshop, Dark_Avenger.1800.A, Dark_Avenger.2100.DI.A, I experienced two problems with the software: every time I Dark_Avenger.Father, Datalock.920.A, Dir-II.A, DOSHunter, ran it with Windows in standard mode, I experienced a Eddie-2.A, Fax_Free.Topo, Fichv.2.1, Flip.2153.E, General Protect fault in Windows. This did not happen in Green_Caterpillar.1575.A, Halloechen.A, Helloween.1376, Hidenowt, HLLC.Even_Beeper.A, Jerusalem.1808.Standard, enhanced mode. Additionally, the file server fell over with Jerusalem.Anticad, Jerusalem.PcVrsDs, a protection error twice when the NLM was loaded - this Jerusalem.Zerotime.Australian.A, Keypress.1232.A, was far more worrying. Whilst I cannot pin it down to the Liberty.2857.D, Maltese_Amoeba, Necros, No_Frills.843, NLM, this has never happened to me before with that No_Frills.Dudley, Nomenklatura, Nothing, Nov_17th.855.A, particular file server, or with any other product. Npox.963.A, Old_Yankee.1, Old_Yankee.2, Pitch, Piter.A, Power_Pump.1, Revenge, Screaming_Fist.II.696, Satanbug, SBC, Sibel_Sheep, Spanish_Telecom, Spanz, Starship, This product has a simply brilliant user interface and SVC.3103.A, Syslock.Macho, Tequila, Todor, Tremor (5), features set. Unfortunately, although its virus detection Vacsina.Penza.700, Vacsina.TP.5.A, Vienna.627.A, results are not disastrous, they are hardly awe-inspiring. It Vienna.648.A, Vienna.W-13.534.A, Vienna.W-13.507.B, seems to me rather odd that virus detection products tend Virdem.1336.English, Warrior, Whale, XPEH.4928 either to be brilliant in detection and appalling in user [3] Polymorphic Test-Set: The test-set consists of 450 genuine interface design, or a joy to use but not particularly good at samples of: Coffeeshop (375), Cruncher (25), Uruguay.4 (50). detecting viruses.

REVIEW

Virus: Prevention, Detection, As the video is designed as a one size fits all offering for a large number of different policies and companies, the pros Recovery and cons of different detection strategies are not touched upon. Rather, a feel is conveyed for the ways in which users can help solve the problem. Particular emphasis is placed on Following a spate of video nasties from a number of four things to do when discovering a virus, namely: different anti-virus software vendors, it was nice to have a vendor-independent choice on offer. The latest video is Do not spread panic produced and distributed by Commonwealth Films Inc, and claims to be The virus awareness and protection video for Stop using the affected PC the 1990s. Get expert help After a lurid yellow banner informing the viewer that he is Write down anything that appears on the screen being treated to a video recorded in MacroVision (what- Good advice, and a procedure which anyone involved in PC ever this may be), the video kicks off in a busy office, where technical support would welcome. Sarah, the secretary, has discovered her computer has a virus. Within minutes, the office grinds to a halt as she gathers an array of puzzled onlookers around her. Naturally, Cheap and Cheerful? Sarah makes several elementary mistakes - the rest of the Perhaps the most memorable part of the video is its price. video goes on to explain what she should have done. Training videos have seldom been cheap, and given that they can be used many times, spending a large amount of Target Audience money on a video which actually works can often be a highly cost-effective solution to the problem. However, Clearly Virus: Prevention, Detection, Recovery is aimed at Virus: Prevention, Detection, Recovery is priced at £675, the average PC LAN user, and as such avoids many of the which works out at over £30 per minute. technicalities and problems associated with the subject. This simplification is generally a good thing, however it is Were it the only offering on the market, this price tag could important that the process is not taken too far. One piece of be justified by a supply and demand argument. However, misinformation which the producers should never have with equally watchable offerings featuring such industry allowed to be included was a throwaway remark about luminaries as Wilf Hey (of PC Plus fame), Alan Solomon or viruses jumping off infected floppy disks. This is non- Jan Hruska, it is extremely difficult to see why Common- sense, and although it fits the simplistic tone of the other wealths offering costs so much. explanations, it is a myth which raises its head time and time again. A virus cannot do this: it must be executed, to spread. On the plus side, the video is well produced, and does seem to emphasize the right ideas. Viewers are not swamped by vast amounts of technical information, and the short length Particular emphasis is placed on of the film makes it ideal training material. In summary, four things to do when Virus: Prevention, Detection, Recovery is a well-focused production, but has a large question mark hanging above its discovering a virus head in terms of value for money. This criticism aside, the remainder of the video is enjoyable Video: Virus: Prevention, Detection, Recovery. to watch. Viewers are treated to a meeting with the fictitious Leo, the author of the Zoo virus. Under the guise of Format: VHS. Other formats available at additional charge. Leos bragging about his latest creation, Zoo.2, the impor- Running time: 22 minutes. tant facts about how viruses could get into the office are Price: £675 (VAT free). 2 copies 10% discount. 3 to 5 copies outlined, ranging from old favourites like the PC at home 15% discount. right down to shrink-wrapped software. UK Vendor: Commonwealth Films, 6a Old Dunleary Road, Dun Laoghair, Co. Dublin, Ireland. Tel. +353 1 280 0506 (UK only Leos character makes the video much more watchable, and 0800 387 458), Fax +353 1 284 2657. saves the user from the interminable droning of an industry Europe: Commonwealth Films, Stephanie Square, Avenue guru - while MIS managers need much more hard techni- Louise 65, bte. 11, 1050 Brussels, Belgium. Tel. +32 2 535 7888 Fax +32 2 535 7700. cal information, the average user is probably better off with an entertainingly-presented checklist. A little bit more USA: Commonwealth Films Inc, 223 Commonwealth Avenue, Boston, MA 02116, USA. emphasis on facts here would not go amiss, but overall this Tel. +1 (617) 262 5634, Fax +1 (617) 262 6948. section is good.

ADVISORY BOARD: SUBSCRIPTION RATES David M. Chess, IBM Research, USA Subscription price for 1 year (12 issues) including first- Phil Crewe, Ziff-Davis, UK class/airmail delivery: David Ferbrache, Defence Research Agency, UK Ray Glath, RG Software Inc., USA UK £195, Europe £225, International £245 (US$395) Hans Gliss, Datenschutz Berater, West Germany Igor Grebert, McAfee Associates, USA Editorial enquiries, subscription enquiries, orders and Ross M. Greenberg, Software Concepts Design, USA payments: Dr. Harold Joseph Highland, Compulit Microcomputer Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, Security Evaluation Laboratory, USA OX14 3YS, England Dr. Jan Hruska, Sophos Plc, UK Dr. Keith Jackson, Walsham Contracts, UK Tel. 0235 555139, International Tel. +44 235 555139 Owen Keane, Barrister, UK Fax 0235 559935, International Fax +44 235 559935 John Laws, Defence Research Agency, UK Email [email protected] Dr. Tony Pitt, Digital Equipment Corporation, UK CompuServe 100070,[email protected] Yisrael Radai, Hebrew University of Jerusalem, Israel US subscriptions only: Roger Riordan, Cybec Pty, Australia Martin Samociuk, Network Security Management, UK June Jordan, Virus Bulletin, 590 Danbury Road, Ridgefield, Eli Shapira, Central Point Software Inc, USA CT 06877, USA John Sherwood, Sherwood Associates, UK Prof. Eugene Spafford, Purdue University, USA Tel. +1 203 431 8720, Fax +1 203 431 8165 Dr. Peter Tippett, Symantec Corporation, USA Dr. Steve R. White, IBM Research, USA Joseph Wells, Symantec Corporation, USA Dr. Ken Wong, PA Consulting Group, UK Ken van Wyk, CERT, USA

No responsibility is assumed by the Publisher for any injury This publication has been registered with the Copyright Clearance Centre Ltd. and/or damage to persons or property as a matter of products Consent is given for copying of articles for personal or internal use, or for liability, negligence or otherwise, or from any use or personal use of specific clients. The consent is given on the condition that the operation of any methods, products, instructions or ideas copier pays through the Centre the per-copy fee stated on each page. contained in the material herein. END NOTES AND NEWS

Command Software has just announced its latest addition to its The Computer Security Institute (CSI) has released the 1994 edition of customer list: Microsoft. Rather than adopting the companys own its official Computer Security Products Buyers Guide. It now offers a anti-virus software MSAV, the software giant has standardised on NET- fax on demand service from 1 June through 31 August 1994. Further Prot and F-Prot Professional to protect its PCs [Is it possible that information available from the CSI. Tel. +1 415 905 2626. Microsoft has discovered a hidden security hole in MSAV? Users should be told! Ed.] The UK NCC (National Computing Centre) is holding management seminars on IT security on 13 July in Birmingham, 14 July in China is facing losing its most favoured nation trading status with the Manchester, 19 July in London, and 21 July in Glasgow. Details from USA unless it cracks down on piracy, according to the newspaper Jayne Howell. Tel. +44 (0)61 228 6333 Fax +44 (0)61 237 5330. China Daily on June 13. CD production in China presently stands at Microsoft MS-DOS v6.22 circa 100 million per year, including pirated disks selling at 10% of has announced the launch of , which does the original price. not include the controversial disk compression software (called Double Space) integral in v6.0 and v6.2. Microsofts latest version of MS-DOS The call for papers of the 1994 EICAR Conference has been contains a new disk compression system called DriveSpace, which announced. The conference will concentrate on methods of improving does not infringe Stacs patents. small system security, and will be held jointly by BP Oil and S&S Racal Electronics has acquired Airtech Computer Security Ltd: the International. The delegate fee for the two-day conference, to be held new group, Racal Airtech, will be headquartered in Oxford, England in Hemel Hemstead, England, is £595+VAT. Tel. 0296 318700. and will concentrate on the areas of system security, access control, A new Swedish organisation aimed at developing a more positive terminal security, and link encryption. image for BBSs has been set up. The group has proposed ethical Kevin Poulsen, known to the computer underground as Dark Dante, guidelines for BBS operators, banning software piracy, computer has pleaded guilty in a US federal court to charges of computer fraud, viruses and other malicious software, and child pornography. interception of wire communications, mail fraud, money laundering Cybec Pty Ltd have announced a new boot sector virus in Australia and obstruction of justice. It is alleged that he won two Porsches, two called Mongolian (due to the fact that it originated in that country). trips to Hawaii, and US$2000 under false pretences. He has also The virus overwrites the first 17 sectors of each partition on the hard admitted accessing computers to identify undercover businesses used disk, and then the Master Boot Record, if switched on on 30 May. by the FBI, to locate FBI wiretaps and to eavesdrop on private citizens. Poulsen faces up to 40 years in prison and a US$1.7 million fine. S&S International has once again announced a Trade-Up Pro- gramme, whereby users of competing products can change to Dr Sophos is holding a Computer Virus Workshop at the Sophos Solomons AVTK at a significantly reduced price. Users can now call training suite in Abingdon, near Oxford, on 27/28 July. Cost for one a Freephone number to receive free advice on viruses. Full details on day is £295.00 + VAT, and for both days £545.00 + VAT. For further 0800 136657 (UK only). Outside UK, Tel. +44 (0)296 318700. information, contact Karen Richardson. Tel. +44 (0)235 559933.